For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

sjy2025's avatar
sjy2025
Icon for Nimbostratus rankNimbostratus
Jul 22, 2025
Solved

iRule, Traffic Policy or Re-Write Policy

  Hi, I have created an iRule that maps source addresses to a particular pool when CLIENT_ACCEPTED { if {[class match [IP::client_addr] equals clients1] } {      pool POOL_1    } elseif {[class...
iRules
rewrite
traffic policy
  • Injeyan_Kostas's avatar
    Injeyan_Kostas
    Sep 24, 2025

    you may see  https://hostnameA.test.com:666 in the browser for many reasons
    thats why I am asking if there is a redirect response (301 or 302) or there is something else

    anyway give this a try

    when HTTP_REQUEST 
{
    STREAM::disable
    HTTP::header remove "Accept-Encoding"

	if {[IP::addr [IP::client_addr] equals 192.168.1.1] } 
	{
		pool POOL_A
		set selected_hostname "hostnameA.test.com"
		HTTP::header replace Host $selected_hostname
	} 
	elseif {[IP::addr [IP::client_addr] equals 192.168.2.1] }
	{
		pool POOL_B
		set selected_hostname "hostnameB.test.com"
		HTTP::header replace Host $selected_hostname
	} 
	elseif {[IP::addr [IP::client_addr] equals 192.168.3.1] }
	{
		pool POOL_C
		set selected_hostname "hostnameC.test.com"
		HTTP::header replace Host $selected_hostname
	}
}

when HTTP_RESPONSE 
{
    if {[HTTP::header exists "Location"] && [info exists selected_hostname]}
    {
        set loc [HTTP::header "Location"]
        if {[string match "https://$selected_hostname:666*" $loc]} 
        {
            HTTP::header replace "Location" [string map "https://$selected_hostname:666 https://example.com" $loc]
        }
    }
    if {[HTTP::header "Content-Type"] contains "text" && [info exists selected_hostname]}
    {
		STREAM::expression "@https://$selected_hostname@https://example.com@"
		STREAM::enable
    }
}

     

sjy2025's avatar
sjy2025
Icon for Nimbostratus rankNimbostratus
Sep 26, 2025

Hi,

Thought I would feedback, as I couldn't get the response to work.

I have got the source > pool > to re-write working which is great, although it does still show the backend server, its a test environment and is reducing my admin, so thank you

I found your iRule really useful for understanding as well

 

I think the response isn't working as there is a unusual setup, which does the following

 

client to uri = https://example.com

F5 rewrites to https://hostnameA.test.com:666

Then there is another redirects that sends to the

F5 rewrites to https://other.test.com:443 (this is returned in the browser)

I'm still looking at it

Thanks

 

 

 

 

Injeyan_Kostas's avatar
Injeyan_Kostas
Icon for Nacreous rankNacreous
Sep 26, 2025

You mention Keycloak,
Do you use as IDP?

You have to check what urls are defined in the config. Either it uses SAML or OAuth